Late last week, the California legislature approved five bills intended to clarify the scope and required compliance obligations of the California Consumer Privacy Act (CCPA or the Act). Organizations now have just over three months to determine whether they need to comply with the newly amended CCPA, assess what their obligations are, and implement the policies, procedures, and operational changes necessary to comply with the law.
- The amendments clarify that, at least for 2020, this consumer privacy law will apply to personal information of employees, job applicants, and contractors, and to personal information collected through certain business-to-business interactions, but only in certain respects.
- The amendments add flexibility to the processes that businesses may use for receiving and verifying consumer access and deletion requests.
- The amendments exclude from CCPA applicability certain processing of consumer report data that is already governed by the federal Fair Credit Reporting Act.
- The amendments clarify how encryption and redaction may play into the private right of action for data breaches.
- The amendments confirm that properly deidentified or aggregate data is not personal information under the Act.
Notably, an amendment relating to customer loyalty programs, AB 846, did not pass. This leaves organizations with questions about whether and how they can continue to offer loyalty programs to California consumers.
For more detailed information about these CCPA amendments, please see Reed Smith’s expanded analysis at ReedSmith.com.
- The governor is expected to sign the bills into law before the October 13, 2019, deadline, and, if signed, they will go into effect on January 1, 2020, along with the rest of the CCPA.
- The attorney general of California will publish regulations to establish procedures to facilitate consumers’ rights under the CCPA and provide compliance guidance before July 1, 2020.
- The California legislature will continue to analyze additional changes to the CCPA during their 2020 session, especially in light of the sunset provisions regarding employee/contractor/job applicant and B2B representative data.
Due to the continued sweeping nature of the CCPA, businesses, service providers, and third parties regulated by the CCPA should continue to identify the personal information they have, the purpose for using and sharing the personal information, and the recipients of such information. They should also focus on how they will respond to consumer access and deletion requests and their contractual relationships with service providers and third parties. While the California legislature’s decisions regarding employee data may have provided businesses with some breathing room, there is still plenty of work to be done before January 2020.